gpg --refresh with large keyrings and hkps in 2.1.1

Ben McGinnes ben at
Tue Apr 21 03:19:24 CEST 2015

On 20/04/2015 7:17 pm, Guilhem Moulin wrote:
> On Thu, 16 Apr 2015 at 08:49:50 +1000, Ben McGinnes wrote:
>> On 16/04/2015 7:17 am, Daniel Kahn Gillmor wrote:
>>> Tor circuits to a particular endpoint are likely to be stable over the
>>> period of time it would take to fetch the whole keyring.
>> In a country with a decent Internet connection, sure.  Over here in
>> Australia, however, you can be pretty sure that you'll hit the ten
>> minute window more than once.
> Doesn't gpg use a single connection for the whole --refresh-keys?  AFIK
> the 10min windows (‘MaxCircuitDirtiness’ in the torrc) is only relevant
> for new connections; I doubt tor client kills existing TCP connections
> when updating circuits.

Hmm, that's a good point, it means the only guaranteed way around that
is one of the lesser used current work arounds (a python script using
requests and python-gnupg to get the keylist and grab keys

> To force a circuit update each 10min, you could refresh your keyring one
> key at a time.  Or use a tool like parcimonie [0], or simply use the
> gnupg-curl module with a different SOCKS5 username/password for each key
> (assuming the ‘IsolateSOCKSAuth’ flag is set in your torrc, which is the
> default):

The requests method above definitely works, with the tor socks
settings being used like any proxy parameter is with requests.

>     gpg --http-proxy=socks5h://$FPR:$RANDOM@ --recv-key $FPR
> Unfortunately this is broken with 2.1, because dirmngr currently doesn't
> honor --http-proxy  (Issue1786).

Which means I could presumably adapt my proxychains rule to that
method in the mean time.  I doubt there is much point, though, I
expect a number of these network related issues will be fixed before I
desperately need a full key refresh.  Still, these bits are useful and
duly filed away for the future, cheers.  :)

Hopefully one of the top ones on Werner's list is the TLS connections,
as that is almost certainly more important than an edge case like tor.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150421/f58e6eda/attachment.sig>

More information about the Gnupg-devel mailing list